
LearnPress Backup & Migration CVE-2026-7566

EUVD-2026-34947 · MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-06-06 Wordfence GHSA-4jj4-xwhh-x5m2
6.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 06, 2026 - 03:56 (vuln.today)
CVE Published: Jun 06, 2026 - 02:28 (nvd), MEDIUM 6.6

Description (CVE.org)

The LearnPress - Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.

Analysis (AI)

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation; exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain WordPress admin credentials
Delivery: Craft malicious serialized PHP object payload
Exploit: Upload payload via LearnPress import feature
Execution: Trigger unsafe PHP deserialization at parsers.php or class-lp-import-learnpress.php
Persist: Invoke POP chain magic methods from co-installed plugin
Impact: Execute arbitrary code or delete files on server

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated session with WordPress administrator-level privileges (PR:H, confirmed by the CVSS vector), a non-default, high-privilege role not held by subscribers, contributors, or editors. …

Risk Assessment: The CVSS 3.1 base score of 6.6 is supported by the vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. …

Exploit Scenario: An attacker who has obtained WordPress administrator credentials (through credential stuffing, phishing, or a separate account-takeover vulnerability) navigates to the LearnPress import interface and uploads a crafted backup file containing a serialized PHP payload. When the plugin processes the import at class-lp-import-learnpress.php or parsers.php, PHP's unserialize() instantiates the attacker's injected object and triggers magic methods belonging to a POP chain supplied by another installed plugin (e.g., a file manager plugin exposing a __destruct method that writes arbitrary files), ultimately achieving remote code execution or file deletion on the server. …

Remediation: Update the LearnPress - Backup & Migration Tool plugin to version 4.1.5 or later. This version is referenced in the WordPress plugin repository (https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.5/inc/functions.php#L384) and is the earliest tag after 4.1.4, which suggests it contains the fix, though the patched version has not been independently confirmed via a formal vendor changelog. …
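To make the CWE-502 pattern behind this CVE concrete, the following is an added illustration (not the plugin's code and not the vendor's fix): an import routine that passes an uploaded backup straight to unserialize(), beside a hardened version that forbids object instantiation and validates the decoded structure. The function names and the backup layout (a "courses" key) are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Function names and the
// backup layout ('courses' key) are assumptions made for this example.

// Vulnerable pattern: the uploaded backup body goes straight to unserialize().
// Any object token in $raw is instantiated, so magic methods (__wakeup,
// __destruct) of whatever classes are loaded on the site may run.
function import_backup_vulnerable(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Hardened pattern: refuse object instantiation, bound nesting depth, and
// validate the shape before the data is used. With allowed_classes => false
// any object token survives only as a __PHP_Incomplete_Class placeholder,
// which is treated here as a tamper signal and rejected.
function import_backup_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 32]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Backup is not a serialized array');
    }
    array_walk_recursive($data, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('Backup contains object data');
        }
    });
    if (!isset($data['courses']) || !is_array($data['courses'])) {
        throw new InvalidArgumentException('Backup is missing the "courses" list');
    }
    return $data;
}

// Constructed inputs: a benign export, and one whose "courses" value is an
// object token for a class name that exists nowhere (it stands in for any
// gadget class a co-installed plugin might provide).
$benign  = serialize(['courses' => [['id' => 1, 'title' => 'Intro']]]);
$tainted = 'a:1:{s:7:"courses";O:8:"NotAReal":0:{}}';

foreach (['benign' => $benign, 'tainted' => $tainted] as $label => $raw) {
    try {
        import_backup_hardened($raw);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Logging each rejection with the uploading user's ID gives a detection hook for import attempts that carry object data, which a legitimate backup of plain course data never needs.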
